This Data Processing Agreement (DPA) applies to all processing of personal data that you as a Customer provide to Storyteq through Storyteq’s Services and is part of the Terms of Service under which we offer the Storyteq Services to you as a Customer.

In some cases, you, as a Customer, and Storyteq could have agreed on a separate Data Processing Agreement as part of your Agreement with Storyteq. In that case, the separate Data Processing Agreement prevails over this Agreement.

Terms such as “personal data”, “processing”, “data controller”, “data processor” and “personal data breach” shall have the meaning assigned to them under the applicable data protection legislation, such as the Regulation (EU) 2016/679 (General Data Protection Regulation).

Storyteq and Customer both acknowledge and agree that the exchange of personal data between the Parties does not form part of any monetary or other valuable consideration exchanged between the Parties with respect to the Agreement or this DPA.

Customer and Storyteq both acknowledge and understand that with respect to the processing of personal data (‘data subjects’), which Customer exports to Storyteq for the provision of the Services, Storyteq acts as a data processor.

  1. Customer hereby instructs Storyteq to process data subjects’ personal data to the extent required for the performance of the Services under the Agreement.

  2. Storyteq shall, in relation to any personal data which is processed in connection with the Services:

    1. process personal data only on documented instructions of Customer, unless otherwise required by the laws of any member of the European Union or by the laws of the European Union applicable to Storyteq to process personal data;

    2. only provide personnel with ‘need to know’ access to the personal data and ensure that all such personnel who have access to or process personal data are under a legal obligation to keep the personal data confidential;

    3. take appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the level of risk presented by the processing (and having regard to the nature of the personal data) and to the harm which might result from a personal data breach affecting the personal data;

    4. provide Customer with any assistance as reasonably requested by Customer in order to allow Customer to comply with obligations of Customer under the Data Protection Legislation, including the notification of personal data breaches, security of processing and assisting Customer with the performance of any relevant data protection impact assessment;

    5. provide Customer with reasonable assistance in order to allow Customer to comply with its obligations to data subjects who exercise their rights under the Data Protection Legislation. Storyteq will make available technical and organizational measures to allow Customer to fulfil these obligations via the account of the Customer.

    6. at Customer’s choice, delete or return personal data and copies thereof to Customer on termination of Customer’s agreement with Storyteq, unless otherwise required by applicable laws;

    7. maintain records as required under the Data Protection Legislation of the processing activities carried out under the Agreement and this DPA;

    8. be prohibited from retaining, using, or disclosing the personal data for any purpose other than as specified in the Agreement, as set out in this DPA, or as otherwise permitted by the Data Protection Legislation, unless Storyteq is required to do so due to a legal obligation, in which case it will act as a data controller; not further collect, sell, or use personal data except as necessary for the fulfilment of the Agreement.

    9. notify Customer as soon as reasonably possible if Storyteq receives a notice or communication from a governmental or regulatory body which relates directly to the processing of personal data, as instructed and provided by Customer, by Storyteq or its (sub-)processors, unless notifying Customer of such notice or communication is prohibited by law.

  3. Customer hereby instructs Storyteq to process data subjects’ personal data to the extent required for the performance of the Services under the Agreement.

  4. Customer represents and warrants that it has provided notice to any end-user that the personal data is being used or shared in accordance with any applicable legislation (such as the GDPR).

  5. If Customer acts as a data controller, Customer guarantees that all processing activities are lawful, have a specific purpose, and any required notices and consents or otherwise appropriate legal basis are in place to enable lawful transfer of personal data. If Customer is a data processor (in which case Storyteq will act as a sub-processor), Customer ensures that the relevant data controller guarantees that the conditions listed in this clause are met.

  6. By means of this clause, Customer gives Storyteq a general written authorization for the engagement of any other third parties as new sub-processors for the processing of personal data, subject to the terms of this DPA. Storyteq will not engage any sub-processor in the processing of personal data under this Agreement without first informing Customer of any intended change concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes. Customer may reasonably object to Storyteq’s use of a new sub-processor (where using such a new sub-processor would weaken the protections for Personal Data provided in this DPA) by notifying Storyteq promptly in writing within a notice period of five (5) business days. Such notice shall explain the reasonable grounds for the objection. Where Customer objects to the new sub-processor, Storyteq shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed sub-processor. If Storyteq is unable to make such change available within thirty (30) business days from Storyteq’s receipt of Customer’s notice, either party may terminate the applicable features of the services which cannot be provided by Storyteq without the use of the proposed sub-processor.

  7. Customer specifically agrees to the engagement of the entities listed at Data Policy as sub-processors of Storyteq for the processing of personal data. Storyteq shall update the list of sub-processors when a new sub-processor for the processing of personal data is engaged.

  8. Storyteq will take all available and appropriate contractual measures to ensure that when a sub-processor is engaged:

    1. the sub-processor will only process personal data if such processing is necessary for the performance of the Services or a part thereof, and will comply with the specific instructions stated in the Agreement; and

    2. data protection obligations providing similar protection as those in this DPA shall be imposed on the sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data Protection Legislation.

  9. Storyteq remains liable to Customer under this DPA for the performance of the data protection obligations of its sub-processor.

  10. Details of the processing:

    1. Subject matter and purpose of the processing: provision of the Services of Storyteq to Customer.

    2. Categories of personal data: information on end-users that Customer provides to Storyteq through the Services.

    3. Categories of data subjects: Data subjects can include customers of the Customer, employees, suppliers, and any other natural person who is the End-User of Services, from whom Customer provides personal data through the use of the Services.

    4. Duration of the processing: personal data will be processed for as long as required for the performance of the Services, or as required under applicable law.

  11. This Data Processing Agreement is governed by the laws of The Netherlands, and the Parties submit to the exclusive jurisdiction of Amsterdam courts for all purposes connected with this DPA, including the enforcement of any award or judgement made under or in connection with it.